Slashdot Mirror

← Back to Stories (view on slashdot.org)

500 Million Users At Risk of Compromise Via Unpatched WinRAR Bug

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes: A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability Lab explained in a post on on the Full Disclosure mailing list. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."

69 of 129 comments (clear)

  1. Huh? by gstoddart · · Score: 1, Interesting

    I must admit some of these security exploits elude me a little, but I've read both of TFAs, and I guess my question is "what the heck is this SFX window and what's it for"?

    Why the heck is an archiving program executing arbitrary code in the first place? That's crazy.

    --
    Lost at C:>. Found at C.
    1. Re:Huh? by gstoddart · · Score: 5, Funny

      You open first link, and you view the youtube video

      No way, opening links and viewing youtube videos is how you get exploited in the first place ... and it's sinful and could lead to dancing.

      --
      Lost at C:>. Found at C.
    2. Re:Huh? by sexconker · · Score: 2

      SFX refers to the self-extractor piece.
      It lets you compress a bunch o' shit, then package it as an executable file.
      The executable contains the compressed shit, the decompression algorithm, and a short script about where to unpack shit to, what to title the SFX window, etc.

      Run the executable and your 8 MB download turns into a 25 MB folder with shit in it.
      People distribute self-extractors because you don't need to rely on them having WinRAR installed, don't need to rely on them knowing where to put the files, etc.

    3. Re:Huh? by gstoddart · · Score: 1

      God damn you're stupid. You've never seen self-extracting archive? What the fuck are you doing on this website?

      Wondering how you whiny little punks all survived to adulthood while believing people give a crap about your opinions.

      --
      Lost at C:>. Found at C.
    4. Re:Huh? by thechemic · · Score: 2

      For years I have always renamed the archivefile.exe to archivefile.rar. This prevents it from running as an executable, and WinRAR opens it just fine. Trusting any archive file SFX is sinful indeed.

      --
      Let's make like a bird... and get the flock outta here.
    5. Re:Huh? by Gary+Perkins · · Score: 2

      Parent isn't creating the executables, he's downloading them from "untrusted sources" and doing the (admirably) paranoid thing by opening them with WinRAR rather than trusting the executable.

  2. BS by Anonymous Coward · · Score: 1

    If you download and willingly execute an .exe you're already fucked.

  3. Click-bait BS by pegr · · Score: 5, Insightful

    So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So a executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

    Oh, and samzenpus, that was the most clickbait bullshit Slashdot headline in months. You should be horsewhipped.

    1. Re:Click-bait BS by gstoddart · · Score: 2

      Oh, I don't know ... it's a real vulnerability, dated Monday, and rated as a 9 (I assume out of 10) ... in terms of being an actual thing and showing up in a timely manner, I'm not sure I'd call it clickbait.

      Now, anything Nerval's Lobster posts which links to Dice? That I'd call clickbait.

      --
      Lost at C:>. Found at C.
    2. Re:Click-bait BS by Anonymous Coward · · Score: 1

      You could already do that. Injecting malicious code into a legitimate executable is a well known tactic. This is literally "executable runs executable code" GASP!

    3. Re:Click-bait BS by sexconker · · Score: 1

      So can WinRAR - you just extract the archive instead of running the executable.
      See http://www.rarlab.com/vuln_sfx...

    4. Re:Click-bait BS by tlhIngan · · Score: 4, Insightful

      So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So a executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

      Actually, the problem is NOT the executable. The SFX part is NOT compromised at all. It's completely legitimate standard WinRAR SFX.

      However, the bug is that there's a buffer overflow in the SFX program - you can give it a malicious HTML file that cause it to execute code.

      The deal is that all a malicious user has to do is inject their file into a RAR archive and set a flag to have the SFX program show it as part of the SFX process. The SFX stub will check clean by all anti-virus because it's the same SFX stub as what WinRAR ships with.

      It's entirely possible that you cannot detect this - if the archive is password protected, for example, so you can't detect the bad HTML file at all. And the SFX will still check clean, but really infect your PC.

      The only workaround is to use WinRAR itself to open the SFX

    5. Re:Click-bait BS by avandesande · · Score: 1

      +1 First person to actually RTFA

      --
      love is just extroverted narcissism
    6. Re:Click-bait BS by BradleyUffner · · Score: 1

      However, the bug is that there's a buffer overflow in the SFX program - you can give it a malicious HTML file that cause it to execute code.

      So what you are saying is that an EXE file can execute code?

    7. Re:Click-bait BS by klui · · Score: 1

      I always tack on a .rar to any SFX so I could disable auto extract. I'm still using 3.93.

    8. Re:Click-bait BS by Barlo_Mung_42 · · Score: 1

      It sounds like the system will be protected if you're running as standard user instead of admin since it won't be able to elevate. Correct?

    9. Re:Click-bait BS by Gunstick · · Score: 1

      it was a so real vulnerability that the winRAR author set it into a WONTFIX. And he's right.

      --
      Atari rules... ermm... ruled.
    10. Re:Click-bait BS by zipmagic · · Score: 1

      Or, you switch to a tool that does everything better in the first place, and is 100% FREE on top: http://www.zipmagic.co/feature...

  4. Re:WinRAR by mrchaotica · · Score: 5, Informative

    On the contrary; WinRAR sucks because it isn't open source. Instead, it's proprietary, spammy nag-ware.

    7Zip, the actual open source competitor to WinRAR, is much better.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  5. ... what? by thevirtualcat · · Score: 1

    So... you can use WinRAR to create an executable file that executes code?

    I guess I'd better get cl.exe and gcc off my systems, too.

    1. Re:... what? by KGIII · · Score: 1

      > implying that there's code for BeOS

      I think you're probably safe with that.

      --
      "So long and thanks for all the fish."
  6. TIL: People still use WinRAR instead of 7zip... by Anonymous Coward · · Score: 1

    And they're complaining about security flaws in closed-source, for-profit software.

  7. Re:WinRAR by ArmoredDragon · · Score: 1

    I have both 7zip and winrar installed, and I gotta say I much prefer using winrar over 7zip. The UI is just a lot more elegant and intuitive, and the shell integration works better.

  8. Re:500 million? by ArmoredDragon · · Score: 1

    I was surprised to learn that Winrar had that many users, considering it's a paid application. I'm one of those weirdos who did pay for it (they gave me a special for $15) even though I do indeed pirate a lot of stuff.

  9. Re:WinRAR by Ravaldy · · Score: 2

    On the contrary; WinRAR sucks because it isn't open source

    That's a bold statement because it goes either way. There are open source products that are better just because they are free and some are better because they simply are better. There are commercial products out there that outweigh open source products just because they have large teams with the right expertise and money to keep it going forward.

    7Zip, the actual open source competitor to WinRAR, is much better

    7Zip is better in many ways. Lightweight is the one major thing it has on WinRAR.

    7Zip would have the same issues if it offered a self extracting option.

  10. Re:Can we finally admit WinRAR is terrible? by SQLGuru · · Score: 2

    I don't even bother with 7z format because modern OSs support ZIP out of the box. I only install 7-zip for slightly better interface than the one built in to the OS, but I know that anyone I send the file to can read the file.

  11. Nothing new here by christose · · Score: 1

    Well... Not to underestimate the finding, but frankly it's nothing new. Executables may carry malicious code, no matter how innocent they look.

    To avoid running the executable, you can use WinRAR (or 7Zip etc) to open the SFX as if it were a regular archive.

  12. Re:WinRAR by sexconker · · Score: 1

    In terms of features, WinRAR is far better (most notable with customizable fault tolerance / recovery options, PAR files, the SFX module, etc.).

    In terms of compression performance, they're neck and neck. This has been true since the RAR5 format was released. A recent update to 7-Zip allowed for the opening of RAR5 archives, if you for some reason really hate WinRAR.

    In terms of freeness, 7-Zip is better if you care. 7-Zip is open source and costs nothing, while WinRAR is closed source and costs nothing for personal use (it'll popup a registration screen once in a while but it still runs with all features enabled).

    In terms of scripting up custom, complex compression tasks 7-Zip is far better.

    I use 7-Zip, but I installed WinRAR when people started using RAR5 archives (before 7-Zip supported opening them). I was pleasantly surprised at how fucking good it was. I still use 7-Zip primarily, but that's just because I have it installed everywhere.

  13. Re:WinRAR by slashdime · · Score: 1

    The SFX module is part of the UI. I wouldn't consider arbitrary code execution to be elegant.

  14. Re:WinRAR by xOneca · · Score: 1

    7Zip would have the same issues if it offered a self extracting option.

    7zip has self-extracting support.

  15. Re:WinRAR by dafradu · · Score: 1

    7Zip has the option to build self extraction archives.

  16. remote? by bmorency · · Score: 1

    How is this a remote exploit? It seems you have to download the malicious file and run it.

    1. Re:remote? by pegr · · Score: 1

      "remote" as in, unlikely to affect users smart enough to avoid running untrusted binaries.

  17. Re:Can we finally admit WinRAR is terrible? by Lendrick · · Score: 1

    I have 7zip installed because it can extract RAR files and it isn't WinRAR.

  18. Re:500 million? by fraxinus-tree · · Score: 1

    It is, well, optionally paid application. It nags you to pay if you open the main window, but it is mostly used as a shell extension (well, at least I use it that way). I decided to pay after years of hassle-free use.

  19. Re:WinRAR by fredgiblet · · Score: 1

    if you for some reason really hate WinRAR.

    Or if you just don't feel like having a ton of programs installed just for proprietary formats. I haven't run into anything that 7-zip couldn't open, so why would I bother installing anything else?

  20. Re:500 million? by fredgiblet · · Score: 1

    It's free for personal use and there's people out there that haven't heard of 7-zip.

  21. Re:WinRAR by Kjella · · Score: 1

    That's a bold statement because it goes either way. There are open source products that are better just because they are free and some are better because they simply are better. There are commercial products out there that outweigh open source products just because they have large teams with the right expertise and money to keep it going forward.

    This is not really one of those cases though, archiving has become a commodity and the only reasons WinRAR has a huge following is that it is old (1995) from before Windows XP came with built-in ZIP support , it became the de facto archive format on Usenet and there's no open specification so competing tools can't create RAR files. It does absolutely nothing special that other tools don't do.

    --
    Live today, because you never know what tomorrow brings
  22. Re:500 million? by kav2k · · Score: 1

    > It's free for personal use
    [citation needed]

  23. Re:WinRAR by GameboyRMH · · Score: 2

    Came here to say this.

    If you make .rar files, you're part of the problem.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  24. Re:Can we finally admit WinRAR is terrible? by kbonin · · Score: 1

    I've seen issues across several production environments where several .zip tools would miss files in very large archive sets, moving to .7z fixed these issues.

  25. Re:WinRAR by SirJorgelOfBorgel · · Score: 1

    Same here. I get blasted by people regularly for using WinRAR instead of 7-Zip, but I prefer it for the exact same reason you do. It's just more convenient to use. Hell, I even paid for it.

    However, to avoid warring about it and for the sake of ease of file exchange, I only create ZIP files. For the same reason, I am thoroughly annoyed by people using the 7-Zip format for archives. The few extra bytes saved is not worth the annoyance, neither for RAR nor 7z files.

  26. Legally prohibited from understanding RAR by tepples · · Score: 1

    7Zip is better in many ways. Lightweight is the one major thing it has on WinRAR.

    Some would claim that it isn't even the most major thing. The .7z format is documented, like the .zip format and notably unlike the .rar format, which all about about a dozen people are legally prohibited from understanding because of the UnRAR license.

  27. Making a scene release requires RAR by tepples · · Score: 1

    You would install WinRAR because someone requires you to submit an archive in RAR format and nothing but WinRAR (or command-line products from the same company) can create archives in RAR format. But in practice, I don't expect this to come up very often outside the warez scene, whose release standards have traditionally required split RAR.

    1. Re:Making a scene release requires RAR by fredgiblet · · Score: 1

      Yeah, that's not something normal people need. They require a fair amount of specialized software actually since their standards are pretty static from what I've seen.

    2. Re:Making a scene release requires RAR by Anonymous Coward · · Score: 1

      You know maybe it's about time the 'scene' updates their fucking standards.

    3. Re:Making a scene release requires RAR by CronoCloud · · Score: 1

      Maybe the "scene" should join the 21st century. As archaic as their rules are, you'd think they're running Win9x on P233's and installing WS_FTP, PKUNZIP and Trumpet WINSOCK on them.

      Maybe it's a russian pirate thing... RAR's programmer is Russian. So maybe all those Eastern European/Russian pirates in the warez scene are simply favoring "one of their own" rather than use the "generic industry standards" like tarballs and zip archives favored in the West.

      Also when I first heard of RAR, using it instead of ZIP, was trumpeted as some kind of sign of "leetness"

  28. Re:WinRAR by Anonymous Coward · · Score: 1

    I also have both and like WinRAR more.

    Open WinRAR
    go to Help/About WinRAR...
    click on the books
    This is why it's better.

  29. Sharewarez demons by tepples · · Score: 1

    What "scene"? Do you mean the warez scene? I thought it was still using RAR files split into several dozen pieces.

  30. Re:WinRAR by MobileTatsu-NJG · · Score: 1

    7zip isn't intuitive? How dumb do you have to be to type something like that.

    Surprisingly less dumb than somebody who responds to a remark that wasn't actually made.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  31. Re:WinRAR by Ravaldy · · Score: 1

    Thanks to those who corrected me on the self extracting feature. I didn't know it was available.

  32. Re:WinRAR by Ravaldy · · Score: 1

    Agreed, but his statement was broad and assuming open source automatically equals better which we both know is not true. In this case it may be but lets not make it a rule of thumb.

  33. Re:WinRAR by sexconker · · Score: 1

    Up until August of 2015, 7-Zip could not open RAR5 archives (which were introduced introduced in August of 2013).

    So while YOU may have not run into anything that 7-Zip couldn't open, there were 2 years where 7-Zip couldn't open newer RAR archives.

  34. Critical vulnerability found in WinRAR? by nickweller · · Score: 1

    Using a self extracting winRAR file as a vector to run code on Windows - is a vulnerability is Windows.

    'Execution of poc.pl aborted due to compilation errors.'

  35. Re:WinRAR by chispito · · Score: 1

    I am thoroughly annoyed by people using the 7-Zip format for archives. The few extra bytes saved is not worth the annoyance, neither for RAR nor 7z files.

    What annoyance?

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  36. Re:WinRAR by nickweller · · Score: 1

    @slashdime: "The SFX module is part of the UI. I wouldn't consider arbitrary code execution to be elegant."

    Yea, it's designed as standard behaviour. There's a post extraction utility that'll run any valid script. But who in their right minds runs somefile.exe on their 'computer'. Oh, wait, no need to answer that one.

  37. 500 million users at risk via unpatched Window bug by nickweller · · Score: 1

    See samzenpus, it's not difficult to think up an accurate title :)

  38. Re:WinRAR by fredgiblet · · Score: 1

    New RAR files made with the RAR5 format. I doubt it was a requirement, WinRAR could likely still use RAR4. Also the vast majority of compressed files I've encountered are .zip.

  39. Re:WinRAR by MobileTatsu-NJG · · Score: 1

    "The UI is just a lot more elegant and intuitive" implies that 7zip's interface is not intuitive as compared to WinRAR."

    Yes, that is the statement the OP made. You responded as if he had said:

    7zip is unintuitive.

    Which is a statement he did not make.

    Congratulations on winning the dumbass award.

    Mmm Hm.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  40. Re: "Real" Names by hackwrench · · Score: 1

    You believe in the concept of a "real" name... How quaint. Sure there is such a thing as a legal name that you use on legal forms, and a lot of times people think that is your "real" name. But how real is it? Is it what your friends, family, acquaintances or coworkers call you? Probably not. I just put hackwrench into Bing and my slashdot page is on the first page of listings. My blog is in the first page of results in Google. That real enough for you?

  41. Re:WinRAR by dj245 · · Score: 1

    I have both 7zip and winrar installed, and I gotta say I much prefer using winrar over 7zip. The UI is just a lot more elegant and intuitive, and the shell integration works better.

    Me too. Winrar's interface is just better for me. It has tons of options for fine-tuning or customizing your work flow. I don't like change and they haven't really changed the interface much in a very long time. If it isn't broke, don't fix it.

    The RAR file format itself seems to have more features, probably because the guy makes money off his software and can afford to devote more time to responding to customer suggestions and requests. Winrar is paying the bills, Mr. Roshal and his brother are highly motivated to keep their customers happy. I can easily imagine an open source developer ignoring the feature/bugfix requests of others to work on whatever they feel like.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  42. Re:WinRAR by Anonymous Coward · · Score: 1

    7z has better compression, is typically faster, multi-platform, and FREE. Why people use winrar over 7z, I can't understand.

  43. Didn't winrar have a nag screen? by n3r0.m4dski11z · · Score: 1

    And require a crack to get working properly? Why would anyone still use that crap. As everyone else has said, 7-zip has I thought, been standard for like 5 years, which is eternity in internet time... Do the slashdot editors still use winrar or something because they are stuck in the glory days of yore?

    That, or they really are out of tune with the windows software scene.

    --
    -
  44. Re:500 million? by Barlo_Mung_42 · · Score: 1

    Relax man. You don't have to pretend to pirate "lots of stuff" just to fit in here. I almost always buy things that I like and find useful.

  45. Re:WinRAR by MobileTatsu-NJG · · Score: 1

    It's hard to take you seriously when all one has to do is scroll up.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  46. Re: 1000s dying daily from starvation, deception.. by KGIII · · Score: 1

    But they're not very tasty.

    --
    "So long and thanks for all the fish."
  47. Re:Can we finally admit WinRAR is terrible? by driblio · · Score: 1
    File -> Add password...

    As I recall. HTH

  48. Re:WinRAR by zipmagic · · Score: 1

    7-Zip can be hard to use and install. ZIPmagic is 100% free for file compression, consumes the 7-Zip stack as well as supporting ZIPX for JPEG compression, and integrates with Windows Explorer for 100% transparent archive management (like ZIPfolders, but for 85+ archive types, including RAR and even the new RAR5 format). Things like drag/drop, copy/paste work seamlessly with ZIPmagic's archives-as-folders feature, transparently launching associated software and even updating the source archive when your changes are saved.

  49. Re:WinRAR by squeeze69 · · Score: 1

    Actually, 7-zip offers SFX. BTW: I agree, open source isn't a "magic bullet" for a good software.